Who’s Behind Operation Huyao?

As previously discussed, Operation Huyao is a well-designed phishing scheme that relies on relay/proxy sites: these pull content directly from the targeted site, so the phishing pages look realistic and believable to the victim.

Only one such attack, targeting a well-known Japanese site, has been documented; no other sites are known to have been targeted. Publicly available information suggests that the persons who registered the domains used in this attack are located in China.

Because Huyao uses a very specific URL pattern, it is easy to identify the web servers that were serving as Huyao proxies. Most of these were located in the United States, with smaller numbers in Hong Kong and France.

Table 1. Countries with Huyao-related servers

Approximately 316 domains have been used by Huyao. These domains appear to have been registered by the attackers themselves; there is no indication that any compromised sites were used. The Whois records for these domains show that the administrator email addresses on file belong to free mail providers, with Hotmail, QQ, and Gmail being the providers most frequently used by the attackers.

Table 2. Email providers used in Huyao-related domain registration

Lin Xiansheng (gillsaex@hotmail.com) and Lirong Shi (44501666@qq.com) were the two individuals most frequently identified as owners of these domains.

According to Whois information, Lin is a resident of Xiamen, in the southeastern Chinese province of Fujian. He appears to have registered a total of 196 domains, four of which have already lapsed or are otherwise no longer valid. Below is some of the Whois information characteristic of the domains registered under this name, based on the Whois record of fffls.com:

Whois records for another domain (since seized due to abuse) also connect Lin to a second email address, 339647674@qq.com. Lin used a slightly different physical address for the domains linked to the qq.com address, but it was still located in Xiamen.

Lirong Shi registered even more domains: 417 in total, six of which are no longer active. Whois records place him in the city of Jinjiang, also in Fujian province.

Other information also points to Lirong Shi being located in China. Postings in online forums indicate that several years ago he was allegedly buying devices in Japan and selling them in China:

Figure 2. Previous advertisement by 44501666@qq.com

The Whois information strongly indicates that the individuals who registered the domains used in Operation Huyao are located in China. That the domains linked to Operation Huyao were registered during Chinese working hours, with peaks at 9 AM and 1 PM local time, supports this conclusion. On its own, however, registration timing cannot be regarded as conclusive proof.

Figure 3. Time of domain registration

Countermeasures

For website owners, protection from such attacks boils down to one goal: rejecting access from unexpected sources. In practice this means blacklisting known relay servers and monitoring the URL (document.location) and the HTTP referrer (document.referrer) under which the site's content is actually being served.

In this scenario, blacklisting means blocking the server on which the relay program is installed, so that it can no longer pull content from the legitimate site. If the legitimate site runs on Apache, the blacklist can be enforced with an .htaccess access control file.

Checking the URL or HTTP referrer is also useful against attacks such as Huyao. Because the proxy relays the legitimate site's pages, including their JavaScript, that JavaScript ends up running in the victim's browser under the phishing domain. A script can therefore compare the document.location and document.referrer values it observes with the values expected on the legitimate site, and the owners of the legitimate site can likewise check where requests for their data or content are coming from. A discrepancy between the observed and expected values signals suspicious activity that can then be flagged.
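The two countermeasures above (blacklisting the relay server, and comparing the observed serving location and referrer against the legitimate site) as an added example, not code from the original post or from the Huyao research. The legitimate host example-shop.jp, the /relay-report endpoint, and the IP addresses are hypothetical; the request objects at the end are constructed for illustration rather than captured traffic.

```javascript
// Added example (not from the original post): a tripwire a legitimate site can
// embed in its pages to detect a Huyao-style relay, plus the server-side check
// the site owner can run on incoming requests for content.
// Assumptions (hypothetical): the real site is example-shop.jp (and subdomains);
// /relay-report is a reporting endpoint the site owner operates on that domain.

const LEGITIMATE_HOSTS = ["example-shop.jp"];

// True when `hostname` is a legitimate host or a subdomain of one. A lookalike
// such as example-shop.jp.evil-proxy.test does NOT match.
function isLegitimateHost(hostname, legitimateHosts = LEGITIMATE_HOSTS) {
  const h = String(hostname || "").toLowerCase().replace(/\.$/, "");
  return legitimateHosts.some((base) => h === base || h.endsWith("." + base));
}

// Client-side check. `loc` is a Location-like object ({hostname, href, pathname})
// and `referrer` the value of document.referrer. The relay re-serves the real
// HTML (this script included) under its own domain, so in a victim's browser
// document.location points at the proxy rather than at the legitimate site.
function checkServingOrigin(loc, referrer, legitimateHosts = LEGITIMATE_HOSTS) {
  const hostname = loc && loc.hostname ? loc.hostname : "";
  const relayed = !isLegitimateHost(hostname, legitimateHosts);
  return {
    relayed,
    reason: relayed ? "document.location host is not a legitimate host" : "ok",
    host: hostname,
    href: (loc && loc.href) || "",
    referrer: referrer || "",
  };
}

// Browser entry point: when the page is being relayed, report the proxy host to
// the real site and bounce the user to the genuine page. `send` and `navigate`
// are injectable so the logic can be exercised outside a browser.
function installRelayGuard({
  loc = window.location,
  referrer = document.referrer,
  legitimateHosts = LEGITIMATE_HOSTS,
  send = (url, body) => navigator.sendBeacon(url, body),
  navigate = (url) => window.location.replace(url),
} = {}) {
  const result = checkServingOrigin(loc, referrer, legitimateHosts);
  if (result.relayed) {
    const realOrigin = "https://" + legitimateHosts[0];
    // Report to the real domain, not to a relative URL, so the beacon does not
    // go back through the proxy that served the page.
    send(realOrigin + "/relay-report", JSON.stringify(result));
    navigate(realOrigin + ((loc && loc.pathname) || "/"));
  }
  return result;
}

// Server-side counterpart for the legitimate site's origin server: check where
// a request for content is coming from. Requests from a blacklisted relay IP
// are blocked outright; requests whose Referer names a foreign host (for
// example a victim's browser fetching sub-resources from a proxied page) are
// flagged for review. `req` is a plain {ip, headers} object here.
function classifyRequest(req, blockedIps, legitimateHosts = LEGITIMATE_HOSTS) {
  if (blockedIps.has(req.ip)) {
    return { action: "block", reason: "source IP on relay blacklist" };
  }
  const referer = req.headers && req.headers.referer;
  if (referer) {
    let refHost = "";
    try {
      refHost = new URL(referer).hostname;
    } catch (e) {
      refHost = "";
    }
    if (!isLegitimateHost(refHost, legitimateHosts)) {
      return { action: "flag", reason: "foreign Referer host: " + refHost };
    }
  }
  return { action: "allow", reason: "ok" };
}

// In a browser, arm the tripwire as soon as the script is loaded.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  installRelayGuard();
}
```

The client-side tripwire only fires if the relay passes the script through unchanged; a proxy that rewrites or strips the page's JavaScript defeats it, which is why the server-side check on source IP and Referer should run alongside it. The .htaccess blacklist mentioned above is the Apache equivalent of the `block` branch in `classifyRequest`; the `flag` branch is what feeds new relay addresses into that blacklist.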
